SecurityEngineering/mozpkix-testing: Difference between revisions

Line 41: Line 41:
The main entry-point for verification is <code>mozilla::pkix::BuildCertChain</code> in [https://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkix.h security/pkix/include/pkix/pkix.h]. This function takes a number of required arguments, including an implementation of a <code>mozilla::pkix::TrustDomain</code>, the certificate to verify, the time at which to verify, and whether this is an end-entity certificate or a CA certificate. Additionally, the caller may specify some required properties of some extensions if present. A known-in-advance OCSP response may be included as well. The function returns <code>SECSuccess</code> upon successful verification and <code>SECFailure</code> upon failure (in which case it sets an error code that can be obtained by calling <code>PR_GetError()</code>). The function will optionally return the trusted certificate chain found.
The main entry-point for verification is <code>mozilla::pkix::BuildCertChain</code> in [https://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkix.h security/pkix/include/pkix/pkix.h]. This function takes a number of required arguments, including an implementation of a <code>mozilla::pkix::TrustDomain</code>, the certificate to verify, the time at which to verify, and whether this is an end-entity certificate or a CA certificate. Additionally, the caller may specify some required properties of some extensions if present. A known-in-advance OCSP response may be included as well. The function returns <code>SECSuccess</code> upon successful verification and <code>SECFailure</code> upon failure (in which case it sets an error code that can be obtained by calling <code>PR_GetError()</code>). The function will optionally return the trusted certificate chain found.


<code>mozilla::pkix::TrustDomain</code> is declared in [https://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkixtypes.h#44 security/pkix/include/pkix/pkixtypes.h]. An implementation of a <code>TrustDomain</code> is responsible for deciding the trust level of a given certificate, finding potential issuers of a given certificate, verifying the signature of a certificate, and determining the revocation status of a certificate. The <code>TrustDomain</code> implementation used by PSM is <code>mozilla::psm::NSSCertDBTrustDomain</code>. See [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.h security/certverifier/NSSCertDBTrustDomain.h] and [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp NSSCertDBTrustDomain.cpp].
<code>mozilla::pkix::TrustDomain</code> is declared in [https://mxr.mozilla.org/mozilla-central/source/security/pkix/include/pkix/pkixtypes.h#44 security/pkix/include/pkix/pkixtypes.h]. An implementation of a <code>TrustDomain</code> is responsible for deciding the trust level of a given certificate, finding potential issuers of a given certificate, verifying the signature of a certificate, and determining the revocation status of a certificate. In most cases, a <code>TrustDomain</code> implementation will be able to call <code>mozilla::pkix::VerifySignedData</code> for signature verification. The <code>TrustDomain</code> implementation used by PSM is <code>mozilla::psm::NSSCertDBTrustDomain</code>. See [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.h security/certverifier/NSSCertDBTrustDomain.h] and [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp NSSCertDBTrustDomain.cpp].
 
<code>NSSCertDBTrustDomain</code> uses <code>mozilla::psm::OCSPCache</code> as an in-memory revocation cache. See [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/OCSPCache.h security/certverifier/OCSPCache.h] and [https://mxr.mozilla.org/mozilla-central/source/security/certverifier/OCSPCache.cpp OCSPCache.cpp].


'''more information to come'''
'''more information to come'''
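Review bot: The sentence added to the <code>TrustDomain</code> paragraph says an implementation can call <code>mozilla::pkix::VerifySignedData</code> "in most cases" but does not say which cases fall outside that, so a reader writing a new <code>TrustDomain</code> cannot tell when they must supply their own signature verification. Suggest stating the condition, and linking the header that declares <code>VerifySignedData</code> the same way the paragraph already links the declarations of <code>BuildCertChain</code> and <code>TrustDomain</code>.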